MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09eeb09143bbbf344c4734827f855275ca47a9e6eea0964158ce00076d12ef86. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: 09eeb09143bbbf344c4734827f855275ca47a9e6eea0964158ce00076d12ef86
SHA3-384 hash: 6ab56804183ee5206266107251cda83f6faec11f6462447c77343e5b502733ad27ba8b076af2713ddaae7d52d759b5e7
SHA1 hash: 25046cada93cfeaa03a45d34bd27261048daca2d
MD5 hash: 0ceb75b3549b35c8942e3dbef608a976
humanhash: quebec-hydrogen-hawaii-may
File name: compiled_report_2020_xls.exe
File size: 68'712 bytes
First seen: 2020-12-28 19:22:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 1536:d14PffhH4VouJJY7MbebHUnHJFXiB0+eA7mrOuibeaictncUPbWRjiSNhzHUf1F:Hsffh4PbiUH/XG0nAKrOu2WRjiwUF
Threatray: 65 similar samples on MalwareBazaar
TLSH: EC639296230DBF42F59787357203E137AA41463732AF4BB0E5721B6DCA5168867A3EC3
Reporter: cocaman
Tags: BitRAT exe

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: Dec 27 14:07:39 2020 GMT
Valid to: Dec 27 14:07:39 2021 GMT
Serial number: 8B3653CA58408189362DCF4FFE53BF6E
Thumbprint Algorithm: SHA256
Thumbprint: B301B0A30EEA4BA0C97D30B158620E09FDFBC298A410DFA860211BBD3A881A0A
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 181
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: compiled_report_2020_xls.exe
Verdict: Malicious activity
Analysis date: 2020-12-28 19:23:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Creating a file
Creating a window
Setting a global event handler
Sending a TCP request to an infection source
Setting a global event handler for the keyboard

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 334548; sample compiled_report_2020_xls.exe; start date 28/12/2020; architecture WINDOWS; score 64):
Signatures: Multi AV Scanner detection for submitted file; Connects to a pastebin service (likely for C&C); Injects a PE file into a foreign processes; Contains functionality to hide a thread from the debugger; Hides threads from debuggers
Process tree: compiled_report_2020_xls.exe started; it in turn started three further compiled_report_2020_xls.exe instances and cmd.exe; cmd.exe started conhost.exe and timeout.exe
Network: hastebin.com (172.67.143.180, port 443, CLOUDFLARENETUS, United States); 79.134.225.40 (ports 49730, 49734, 49735, FINK-TELECOM-SERVICESCH, Switzerland)
Dropped file: C:\Users\...\compiled_report_2020_xls.exe.log (ASCII)
Threat name: ByteCode-MSIL.Infostealer.Fareit
Status: Malicious
First seen: 2020-12-28 19:15:48 UTC
File Type: PE (.Net Exe)
AV detection: 17 of 29 (58.62%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Unpacked files
SHA256 hash: 09eeb09143bbbf344c4734827f855275ca47a9e6eea0964158ce00076d12ef86
MD5 hash: 0ceb75b3549b35c8942e3dbef608a976
SHA1 hash: 25046cada93cfeaa03a45d34bd27261048daca2d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments